1. Field of the Invention
The present invention generally relates to communications, and particularly relates to a method and apparatus for protecting user information.
2. Description of Related Art
The number of mobile terminals connected to the mobile internet is increasing, and more and more applications are being deployed on it. Currently, many mobile operators are actively deploying related platforms in order to fully utilize the mobile internet and obtain more business value.
Some mobile operators have proposed a Value-added services general operation platform (VGOP). VGOP is a platform which uniformly develops, manages, operates and analyzes value-added services. The development and deployment of VGOP has made mobile operators recognize that standardized management of value-added services becomes significantly more important during the transition from a communication service provider to a content service provider.
Generally, VGOP is composed of five functional portions: the first is sale; the second is analysis; the third is interconnection and sharing; the fourth is operating management and monitoring; and the fifth is portal. The VGOP platform manages the above functions in an integrated manner while providing uniform services and operations externally.
In the VGOP platform or other similar platforms, a large amount of user-related information is maintained and managed, which may be utilized by applications developed by third-party companies. As these data are opened to third-party applications, identity authentication and authorization is one of the important aspects. However, the third-party applications running on the platform are numerous and of various types. It is difficult for the mobile operators to establish trust relationships with each of the third-party applications one by one. Further, if there is no trust relationship between a third-party application and the mobile service platform, it is difficult to ensure the security of the related user information in the platform.
Currently, if the mobile terminal accesses a third-party application and the third-party application needs to access the mobile information platform to fulfill a service, there are generally two access flows. In the first, the mobile terminal accesses the third-party application directly. When the third-party application then accesses the mobile service platform and identity authentication/authorization is required, the third-party application asks the mobile terminal for the account and password of the mobile terminal user in the mobile platform, and then directly accesses the mobile service platform on behalf of the mobile user. In such a flow, the user account and password of the mobile terminal user in the mobile service platform are leaked to the third-party application.
FIG. 1 shows the other flow: the mobile terminal accesses the mobile service platform, passes identity authentication and gets authorization from the mobile service platform. Subsequent accesses to the third-party application go through the mobile service platform. If the third-party application needs data in the mobile service platform, it can obtain the data from the mobile service platform directly. In this flow, there is a trust relationship between the third-party application and the mobile service platform, which is generally established by signing a contract. The detailed steps are as follows:
1) the mobile terminal issues an HTTP request to the mobile service platform; the HTTP request carries the information that the third-party application needs for the access;
2) the mobile service platform forwards the access request to the third-party application;
3) the third-party application needs to access data in the mobile service platform, and transmits an HTTP request for data access or value-added service access to the mobile service platform;
4) if the mobile service platform needs to access a value-added service platform (for example, VGOP), it transmits a request for value-added service access to the value-added service platform;
5) the value-added service platform returns a response to the value-added service access;
6) the mobile service platform returns a response to the data access or the value-added service access to the third-party application;
7) the third-party application returns a response to the mobile terminal's access to the mobile service platform; and
8) the mobile service platform returns the result of the access to the mobile terminal.
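The two access flows above, as an added simulation that is not part of the original patent text: the first flow, in which the third-party application is handed the user's platform account and password, and the FIG. 1 flow, in which the terminal authenticates with the mobile service platform and the platform forwards the request to an application it has a contract with. The class names, the "weather-app" identifier, the user "alice" and the sample data are all constructed for this example; the salted hash and session token are simplifications standing in for the platform's real authentication.

```python
import hashlib
import hmac
import secrets

SALT = "constructed-salt"  # constructed; a real platform would use per-user random salts


def _hash_password(password: str) -> str:
    return hashlib.sha256((SALT + password).encode()).hexdigest()


class ValueAddedServicePlatform:
    """Stands in for VGOP (steps 4 and 5 of FIG. 1); only the mobile service platform calls it."""

    def __init__(self):
        self._balances = {"alice": 42}  # constructed sample user data

    def query(self, user: str) -> dict:
        return {"balance": self._balances[user]}


class MobileServicePlatform:
    def __init__(self, trusted_apps: set):
        self._users = {"alice": _hash_password("s3cret")}  # constructed account
        self._trusted_apps = set(trusted_apps)  # apps the operator has a contract with (flow 2)
        self._sessions: dict = {}  # session token -> user
        self._vgop = ValueAddedServicePlatform()

    def _check_credentials(self, user: str, password: str) -> bool:
        expected = self._users.get(user)
        return expected is not None and hmac.compare_digest(expected, _hash_password(password))

    # Flow 1: the caller (here the third-party app) presents the user's own credentials.
    def data_with_credentials(self, user: str, password: str) -> dict:
        if not self._check_credentials(user, password):
            raise PermissionError("bad credentials")
        return self._vgop.query(user)

    # Flow 2, step 1: the terminal authenticates with the platform and receives a session.
    def login(self, user: str, password: str) -> str:
        if not self._check_credentials(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    # Flow 2, steps 2, 7 and 8: forward the terminal's request to a contracted app only.
    def forward_to_app(self, token: str, app) -> dict:
        if token not in self._sessions:
            raise PermissionError("terminal not authenticated")
        if app.app_id not in self._trusted_apps:
            raise PermissionError("no trust relationship with app")
        return app.handle_forwarded(self, token)

    # Flow 2, steps 3 to 6: a contracted app fetches data for the session it was handed.
    def data_for_app(self, app_id: str, token: str) -> dict:
        if app_id not in self._trusted_apps:
            raise PermissionError("no trust relationship with app")
        user = self._sessions.get(token)
        if user is None:
            raise PermissionError("unknown session")
        return self._vgop.query(user)


class ThirdPartyApp:
    def __init__(self, app_id: str):
        self.app_id = app_id
        self.received_passwords = []  # records what the app ends up holding

    # Flow 1: the terminal gives the app its platform account and password.
    def handle_direct(self, platform, user: str, password: str) -> dict:
        self.received_passwords.append(password)  # the leak the text describes
        return platform.data_with_credentials(user, password)

    # Flow 2: the app only ever sees a session reference, never the password.
    def handle_forwarded(self, platform, token: str) -> dict:
        return platform.data_for_app(self.app_id, token)


def run_flow_1():
    platform = MobileServicePlatform(trusted_apps=set())
    app = ThirdPartyApp("weather-app")
    result = app.handle_direct(platform, "alice", "s3cret")
    return result, app.received_passwords


def run_flow_2():
    platform = MobileServicePlatform(trusted_apps={"weather-app"})
    app = ThirdPartyApp("weather-app")
    token = platform.login("alice", "s3cret")
    result = platform.forward_to_app(token, app)
    return result, app.received_passwords


def run_flow_2_without_contract():
    """Flow 2 with an app the operator has no contract with: the platform refuses to forward."""
    platform = MobileServicePlatform(trusted_apps=set())
    app = ThirdPartyApp("unknown-app")
    token = platform.login("alice", "s3cret")
    try:
        platform.forward_to_app(token, app)
    except PermissionError as exc:
        return str(exc)
    return "allowed"
```

Running the three functions shows the contrast the text draws: both flows return the same data, but after flow 1 the application holds the user's password, while in flow 2 it holds nothing but a session reference, and an application without a contract is refused at the platform before it can touch any user data.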
However, as mentioned above, since the third-party applications on the VGOP platform are very numerous, the mobile operators cannot establish trust relationships with the providers of the third-party applications one by one. Therefore, the existing access flow described above cannot meet the requirements of a new platform that must host a large number of various third-party applications.
Patent application WO 03/007102A (Modular Authentication and Authorization Scheme for Internet Protocol) proposed a system for three-party authentication and authorization. In that system, an authorizer is specifically responsible for authorizing user requests, and a service provider party responds to the user requests according to the authorization result from the authorizer. This patent document requires the service provider to fully trust the authorization result from the authorizer; the service party does not perform identity authentication/authorization by itself. This method needs a third party, such as a mobile operator, which is trusted by both the user and the service provider.